<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width,initial-scale=1">
    <title>9. Kubernetes详细教程-安全认证 | 小鹏杂谈</title>
    <meta name="generator" content="VuePress 1.8.2">
    <link rel="icon" href="/favicon.ico">
    <meta name="description" content="小鹏杂谈">
    <meta name="viewport" content="width=device-width,initial-scale=1,user-scalable=no">
    
    <link rel="preload" href="/assets/css/0.styles.8516fda1.css" as="style"><link rel="preload" href="/assets/js/app.b9ccfc55.js" as="script"><link rel="preload" href="/assets/js/4.8390fbcb.js" as="script"><link rel="preload" href="/assets/js/1.3334f995.js" as="script"><link rel="preload" href="/assets/js/19.459fc46f.js" as="script"><link rel="prefetch" href="/assets/js/10.8eb4e356.js"><link rel="prefetch" href="/assets/js/11.31befa4c.js"><link rel="prefetch" href="/assets/js/12.da37eb75.js"><link rel="prefetch" href="/assets/js/13.b24ba73c.js"><link rel="prefetch" href="/assets/js/14.3bbed283.js"><link rel="prefetch" href="/assets/js/15.fac60f8d.js"><link rel="prefetch" href="/assets/js/16.b75d2036.js"><link rel="prefetch" href="/assets/js/17.116317c5.js"><link rel="prefetch" href="/assets/js/18.80fdbeda.js"><link rel="prefetch" href="/assets/js/20.452f30f9.js"><link rel="prefetch" href="/assets/js/21.99f641dc.js"><link rel="prefetch" href="/assets/js/22.081dc33b.js"><link rel="prefetch" href="/assets/js/23.d3455a59.js"><link rel="prefetch" href="/assets/js/24.8f5d39e0.js"><link rel="prefetch" href="/assets/js/25.c3dc47fb.js"><link rel="prefetch" href="/assets/js/26.d93b5cf2.js"><link rel="prefetch" href="/assets/js/27.6d2089a5.js"><link rel="prefetch" href="/assets/js/28.57336847.js"><link rel="prefetch" href="/assets/js/29.903b5e06.js"><link rel="prefetch" href="/assets/js/3.32100170.js"><link rel="prefetch" href="/assets/js/30.274666a3.js"><link rel="prefetch" href="/assets/js/31.fa9bd0f8.js"><link rel="prefetch" href="/assets/js/32.20179720.js"><link rel="prefetch" href="/assets/js/33.2dcc611d.js"><link rel="prefetch" href="/assets/js/34.ba79122c.js"><link rel="prefetch" href="/assets/js/35.bcd9298f.js"><link rel="prefetch" href="/assets/js/36.bf6245d9.js"><link rel="prefetch" href="/assets/js/37.734eb893.js"><link rel="prefetch" href="/assets/js/38.26999070.js"><link rel="prefetch" href="/assets/js/39.cc1f016d.js"><link rel="prefetch" 
href="/assets/js/40.da84c263.js"><link rel="prefetch" href="/assets/js/41.a96b8efa.js"><link rel="prefetch" href="/assets/js/42.d586cccb.js"><link rel="prefetch" href="/assets/js/43.69bb61aa.js"><link rel="prefetch" href="/assets/js/44.3be5a840.js"><link rel="prefetch" href="/assets/js/45.208a3bc3.js"><link rel="prefetch" href="/assets/js/46.2d6cacad.js"><link rel="prefetch" href="/assets/js/47.5add378a.js"><link rel="prefetch" href="/assets/js/48.587139cc.js"><link rel="prefetch" href="/assets/js/49.57f7c25a.js"><link rel="prefetch" href="/assets/js/5.ff1e84d1.js"><link rel="prefetch" href="/assets/js/50.efde6e4a.js"><link rel="prefetch" href="/assets/js/51.c9447e5f.js"><link rel="prefetch" href="/assets/js/52.57a51c35.js"><link rel="prefetch" href="/assets/js/53.4be0f240.js"><link rel="prefetch" href="/assets/js/54.8dabd349.js"><link rel="prefetch" href="/assets/js/55.3b8ae0e4.js"><link rel="prefetch" href="/assets/js/56.07e830b2.js"><link rel="prefetch" href="/assets/js/57.8c0dbdcc.js"><link rel="prefetch" href="/assets/js/58.63387df6.js"><link rel="prefetch" href="/assets/js/59.959bb8c8.js"><link rel="prefetch" href="/assets/js/6.56a2b5cd.js"><link rel="prefetch" href="/assets/js/60.1041d86f.js"><link rel="prefetch" href="/assets/js/61.f58e6c18.js"><link rel="prefetch" href="/assets/js/62.a1a460c7.js"><link rel="prefetch" href="/assets/js/63.6c611c7d.js"><link rel="prefetch" href="/assets/js/64.6711119c.js"><link rel="prefetch" href="/assets/js/65.4655c3b1.js"><link rel="prefetch" href="/assets/js/66.e5dfe864.js"><link rel="prefetch" href="/assets/js/67.37515de0.js"><link rel="prefetch" href="/assets/js/68.0c8ba92d.js"><link rel="prefetch" href="/assets/js/69.52121d38.js"><link rel="prefetch" href="/assets/js/7.6f143d9f.js"><link rel="prefetch" href="/assets/js/70.1ab4d6a1.js"><link rel="prefetch" href="/assets/js/71.dc99dd1d.js"><link rel="prefetch" href="/assets/js/72.02e21e52.js"><link rel="prefetch" href="/assets/js/73.21efc121.js"><link rel="prefetch" 
href="/assets/js/74.649f4e1d.js"><link rel="prefetch" href="/assets/js/75.331c13e7.js"><link rel="prefetch" href="/assets/js/76.a94b5ff0.js"><link rel="prefetch" href="/assets/js/8.d4d40f2a.js"><link rel="prefetch" href="/assets/js/9.1b8824e7.js">
    <link rel="stylesheet" href="/assets/css/0.styles.8516fda1.css">
  </head>
  <body>
    <div id="app" data-server-rendered="true"><div class="theme-container no-sidebar" data-v-1156296a><div data-v-1156296a><div id="loader-wrapper" class="loading-wrapper" data-v-d48f4d20 data-v-1156296a data-v-1156296a><div class="loader-main" data-v-d48f4d20><div data-v-d48f4d20></div><div data-v-d48f4d20></div><div data-v-d48f4d20></div><div data-v-d48f4d20></div></div> <!----> <!----></div> <div class="password-shadow password-wrapper-out" style="display:none;" data-v-4e82dffc data-v-1156296a data-v-1156296a><h3 class="title" data-v-4e82dffc data-v-4e82dffc>小鹏杂谈</h3> <p class="description" data-v-4e82dffc data-v-4e82dffc>小鹏杂谈</p> <label id="box" class="inputBox" data-v-4e82dffc data-v-4e82dffc><input type="password" value="" data-v-4e82dffc> <span data-v-4e82dffc>Konck! Knock!</span> <button data-v-4e82dffc>OK</button></label> <div class="footer" data-v-4e82dffc data-v-4e82dffc><span data-v-4e82dffc><i class="iconfont reco-theme" data-v-4e82dffc></i> <a target="blank" href="https://vuepress-theme-reco.recoluan.com" data-v-4e82dffc>vuePress-theme-reco</a></span> <span data-v-4e82dffc><i class="iconfont reco-copyright" data-v-4e82dffc></i> <a data-v-4e82dffc><span data-v-4e82dffc>lzpeng723</span>
            
        </a></span></div></div> <div data-v-1156296a><main class="page"><section><div class="page-title"><h1 class="title">9. Kubernetes详细教程-安全认证</h1> <div data-v-1ff7123e><i class="iconfont reco-account" data-v-1ff7123e><span data-v-1ff7123e>lzpeng723</span></i> <i class="iconfont reco-date" data-v-1ff7123e><span data-v-1ff7123e>11/2/2021</span></i> <!----> <i class="tags iconfont reco-tag" data-v-1ff7123e><span class="tag-item" data-v-1ff7123e>Kubernetes</span></i></div></div> <div class="theme-reco-content content__default"><p><a href="https://gitee.com/yooome/golang/blob/main/k8s%E8%AF%A6%E7%BB%86%E6%95%99%E7%A8%8B/Kubernetes%E8%AF%A6%E7%BB%86%E6%95%99%E7%A8%8B.md#9-%E5%AE%89%E5%85%A8%E8%AE%A4%E8%AF%81" target="_blank" rel="noopener noreferrer">原文链接<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a> <a href="https://www.bilibili.com/video/BV1Qv41167ck?p=80" target="_blank" rel="noopener noreferrer">视频教程<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <h1 id="_9-安全认证"><a href="#_9-安全认证" class="header-anchor">#</a> 9. 
安全认证</h1> <h2 id="_9-1-访问控制概述"><a href="#_9-1-访问控制概述" class="header-anchor">#</a> 9.1 访问控制概述</h2> <p>Kubernetes作为一个分布式集群的管理工具，保证集群的安全性是其一个重要的任务。所谓的安全性其实就是保证对Kubernetes的各种<strong>客户端</strong>进行<strong>认证和鉴权</strong>操作。</p> <p><strong>客户端</strong></p> <p>在Kubernetes集群中，客户端通常有两类：</p> <ul><li><strong>User Account</strong>：一般是独立于kubernetes之外的其他服务管理的用户账号。</li> <li><strong>Service Account</strong>：kubernetes管理的账号，用于为Pod中的服务进程在访问Kubernetes时提供身份标识。</li></ul> <p><img src="/assets/img/image-20200520102949189.5fd250f6.png" alt="img"></p> <p><strong>认证、授权与准入控制</strong></p> <p>ApiServer是访问及管理资源对象的唯一入口。任何一个请求访问ApiServer，都要经过下面三个流程：</p> <ul><li>Authentication（认证）：身份鉴别，只有正确的账号才能够通过认证</li> <li>Authorization（授权）：判断用户是否有权限对访问的资源执行特定的动作</li> <li>Admission Control（准入控制）：用于补充授权机制以实现更加精细的访问控制功能。</li></ul> <p><img src="/assets/img/image-20200520103942580.10834b9b.png" alt="img"></p> <h2 id="_9-2-认证管理"><a href="#_9-2-认证管理" class="header-anchor">#</a> 9.2 认证管理</h2> <p>Kubernetes集群安全的最关键点在于如何识别并认证客户端身份，它提供了3种客户端身份认证方式：</p> <ul><li><p>HTTP Basic认证：通过用户名+密码的方式认证</p> <p>这种认证方式是把“用户名:密码”用BASE64算法进行编码后的字符串放在HTTP请求中的Header Authorization域里发送给服务端。服务端收到后进行解码，获取用户名及密码，然后进行用户身份认证的过程。需要注意的是，BASE64只是可逆编码而不是加密，用户名和密码相当于以明文在网络上传输，这种方式必须依赖TLS加密通道来保护。</p></li> <li><p>HTTP Token认证：通过一个Token来识别合法用户</p> <p>这种认证方式是用一个很长的难以被模仿的字符串--Token来表明客户身份的一种方式。每个Token对应一个用户名，当客户端发起API调用请求时，需要在HTTP Header里放入Token，API Server接到Token后会跟服务器中保存的token进行比对，然后进行用户身份认证的过程。</p></li> <li><p>HTTPS证书认证：基于CA根证书签名的双向数字证书认证方式</p> <p>这种认证方式是安全性最高的一种方式，但是同时也是操作起来最麻烦的一种方式。</p></li></ul> <p><img src="/assets/img/image-20200518211037434.9dff23bf.png" alt="img"></p> <p><strong>HTTPS认证大体分为3个过程：</strong></p> <ol><li><p>证书申请和下发</p> <p>HTTPS通信双方的服务器向CA机构申请证书，CA机构下发根证书、服务端证书及私钥给申请者</p></li> <li><p>客户端和服务端的双向认证</p> <p>1&gt; 客户端向服务器端发起请求，服务端下发自己的证书给客户端，
客户端接收到证书后，用本地信任的CA根证书验证服务端证书上的签名（证书并不是用私钥“解密”的），验证通过后从证书中取得服务端的公钥，
并核对证书中的信息（如主机名、有效期）是否与所访问的服务端一致，如果一致，则认可这个服务器</p> <p>2&gt; 客户端发送自己的证书给服务器端，服务端接收到证书后，同样用CA根证书验证客户端证书上的签名，
从证书中获得客户端的公钥，并用该公钥验证客户端对握手数据所做的签名，以确认客户端确实持有对应的私钥、是否合法</p></li> <li><p>服务器端和客户端进行通信</p> <p>服务器端和客户端协商好加密方案后，客户端会产生一个随机的密钥并用服务端的公钥加密，然后发送到服务器端。
服务器端接收这个密钥后，双方接下来通信的所有内容都通过该随机密钥加密</p></li></ol> <blockquote><p>注意: Kubernetes允许同时配置多种认证方式，只要其中任意一个方式认证通过即可</p></blockquote> <h2 id="_9-3-授权管理"><a href="#_9-3-授权管理" class="header-anchor">#</a> 9.3 授权管理</h2> <p>授权发生在认证成功之后，通过认证就可以知道请求用户是谁，然后Kubernetes会根据事先定义的授权策略来决定用户是否有权限访问，这个过程就称为授权。</p> <p>每个发送到ApiServer的请求都带上了用户和资源的信息：比如发送请求的用户、请求的路径、请求的动作等，授权就是根据这些信息和授权策略进行比较，如果符合策略，则认为授权通过，否则会返回错误。</p> <p>API Server目前支持以下几种授权策略：</p> <ul><li>AlwaysDeny：表示拒绝所有请求，一般用于测试</li> <li>AlwaysAllow：允许接收所有请求，相当于集群不需要授权流程（Kubernetes默认的策略），生产环境不应使用</li> <li>ABAC：基于属性的访问控制，表示使用用户配置的授权规则对用户请求进行匹配和控制</li> <li>Webhook：通过调用外部REST服务对用户进行授权</li> <li>Node：是一种专用模式，用于对kubelet发出的请求进行访问控制</li> <li>RBAC：基于角色的访问控制（kubeadm安装方式下的默认选项）</li></ul> <p>RBAC(Role-Based Access Control) 基于角色的访问控制，主要是在描述一件事情：<strong>给哪些对象授予了哪些权限</strong></p> <p>其中涉及到了下面几个概念：</p> <ul><li>对象：User、Groups、ServiceAccount</li> <li>角色：代表着一组定义在资源上的可操作动作(权限)的集合</li> <li>绑定：将定义好的角色跟用户绑定在一起</li></ul> <p><img src="/assets/img/image-20200519181209566.b0891456.png" alt="img"></p> <p>RBAC引入了4个顶级资源对象：</p> <ul><li>Role、ClusterRole：角色，用于指定一组权限</li> <li>RoleBinding、ClusterRoleBinding：角色绑定，用于将角色（权限）赋予给对象</li></ul> <p><strong>Role、ClusterRole</strong></p> <p>一个角色就是一组权限的集合，这里的权限都是许可形式的（白名单）。</p> <div class="language-yaml line-numbers-mode"><pre class="language-yaml"><code><span class="token comment"># Role只能对命名空间内的资源进行授权，需要指定namespace</span>
<span class="token key atrule">kind</span><span class="token punctuation">:</span> Role
<span class="token key atrule">apiVersion</span><span class="token punctuation">:</span> rbac.authorization.k8s.io/v1beta1
<span class="token key atrule">metadata</span><span class="token punctuation">:</span>
  <span class="token key atrule">namespace</span><span class="token punctuation">:</span> dev
  <span class="token key atrule">name</span><span class="token punctuation">:</span> authorization<span class="token punctuation">-</span>role
<span class="token key atrule">rules</span><span class="token punctuation">:</span>
<span class="token punctuation">-</span> <span class="token key atrule">apiGroups</span><span class="token punctuation">:</span> <span class="token punctuation">[</span><span class="token string">&quot;&quot;</span><span class="token punctuation">]</span>  <span class="token comment"># 支持的API组列表,&quot;&quot; 空字符串，表示核心API群</span>
  <span class="token key atrule">resources</span><span class="token punctuation">:</span> <span class="token punctuation">[</span><span class="token string">&quot;pods&quot;</span><span class="token punctuation">]</span> <span class="token comment"># 支持的资源对象列表</span>
  <span class="token key atrule">verbs</span><span class="token punctuation">:</span> <span class="token punctuation">[</span><span class="token string">&quot;get&quot;</span><span class="token punctuation">,</span> <span class="token string">&quot;watch&quot;</span><span class="token punctuation">,</span> <span class="token string">&quot;list&quot;</span><span class="token punctuation">]</span> <span class="token comment"># 允许的对资源对象的操作方法列表</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br></div></div><div class="language-yaml line-numbers-mode"><pre class="language-yaml"><code><span class="token comment"># ClusterRole可以对集群范围内资源、跨namespaces的范围资源、非资源类型进行授权</span>
<span class="token key atrule">kind</span><span class="token punctuation">:</span> ClusterRole
<span class="token key atrule">apiVersion</span><span class="token punctuation">:</span> rbac.authorization.k8s.io/v1beta1
<span class="token key atrule">metadata</span><span class="token punctuation">:</span>
 <span class="token key atrule">name</span><span class="token punctuation">:</span> authorization<span class="token punctuation">-</span>clusterrole
<span class="token key atrule">rules</span><span class="token punctuation">:</span>
<span class="token punctuation">-</span> <span class="token key atrule">apiGroups</span><span class="token punctuation">:</span> <span class="token punctuation">[</span><span class="token string">&quot;&quot;</span><span class="token punctuation">]</span>
  <span class="token key atrule">resources</span><span class="token punctuation">:</span> <span class="token punctuation">[</span><span class="token string">&quot;pods&quot;</span><span class="token punctuation">]</span>
  <span class="token key atrule">verbs</span><span class="token punctuation">:</span> <span class="token punctuation">[</span><span class="token string">&quot;get&quot;</span><span class="token punctuation">,</span> <span class="token string">&quot;watch&quot;</span><span class="token punctuation">,</span> <span class="token string">&quot;list&quot;</span><span class="token punctuation">]</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br></div></div><p>需要详细说明的是，rules中的参数：</p> <ul><li><p>apiGroups: 支持的API组列表</p> <p><code>&quot;&quot;,&quot;apps&quot;, &quot;autoscaling&quot;, &quot;batch&quot;</code></p></li> <li><p>resources：支持的资源对象列表</p> <p><code>&quot;services&quot;, &quot;endpoints&quot;, &quot;pods&quot;,&quot;secrets&quot;,&quot;configmaps&quot;,&quot;crontabs&quot;,&quot;deployments&quot;,&quot;jobs&quot;, &quot;nodes&quot;,&quot;rolebindings&quot;,&quot;clusterroles&quot;,&quot;daemonsets&quot;,&quot;replicasets&quot;,&quot;statefulsets&quot;, &quot;horizontalpodautoscalers&quot;,&quot;replicationcontrollers&quot;,&quot;cronjobs&quot;</code></p></li> <li><p>verbs：对资源对象的操作方法列表</p> <p><code>&quot;get&quot;, &quot;list&quot;, &quot;watch&quot;, &quot;create&quot;, &quot;update&quot;, &quot;patch&quot;, &quot;delete&quot;, &quot;exec&quot;</code></p></li></ul> <p><strong>RoleBinding、ClusterRoleBinding</strong></p> <p>角色绑定用来把一个角色绑定到一个目标对象上，绑定目标可以是User、Group或者ServiceAccount。</p> <div class="language-yaml line-numbers-mode"><pre class="language-yaml"><code><span class="token comment"># RoleBinding可以将同一namespace中的subject绑定到某个Role下，则此subject即具有该Role定义的权限</span>
<span class="token key atrule">kind</span><span class="token punctuation">:</span> RoleBinding
<span class="token key atrule">apiVersion</span><span class="token punctuation">:</span> rbac.authorization.k8s.io/v1beta1
<span class="token key atrule">metadata</span><span class="token punctuation">:</span>
  <span class="token key atrule">name</span><span class="token punctuation">:</span> authorization<span class="token punctuation">-</span>role<span class="token punctuation">-</span>binding
  <span class="token key atrule">namespace</span><span class="token punctuation">:</span> dev
<span class="token key atrule">subjects</span><span class="token punctuation">:</span>
<span class="token punctuation">-</span> <span class="token key atrule">kind</span><span class="token punctuation">:</span> User
  <span class="token key atrule">name</span><span class="token punctuation">:</span> heima
  <span class="token key atrule">apiGroup</span><span class="token punctuation">:</span> rbac.authorization.k8s.io
<span class="token key atrule">roleRef</span><span class="token punctuation">:</span>
  <span class="token key atrule">kind</span><span class="token punctuation">:</span> Role
  <span class="token key atrule">name</span><span class="token punctuation">:</span> authorization<span class="token punctuation">-</span>role
  <span class="token key atrule">apiGroup</span><span class="token punctuation">:</span> rbac.authorization.k8s.io
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br></div></div><div class="language-yaml line-numbers-mode"><pre class="language-yaml"><code><span class="token comment"># ClusterRoleBinding在整个集群级别和所有namespaces将特定的subject与ClusterRole绑定，授予权限</span>
<span class="token key atrule">kind</span><span class="token punctuation">:</span> ClusterRoleBinding
<span class="token key atrule">apiVersion</span><span class="token punctuation">:</span> rbac.authorization.k8s.io/v1beta1
<span class="token key atrule">metadata</span><span class="token punctuation">:</span>
 <span class="token key atrule">name</span><span class="token punctuation">:</span> authorization<span class="token punctuation">-</span>clusterrole<span class="token punctuation">-</span>binding
<span class="token key atrule">subjects</span><span class="token punctuation">:</span>
<span class="token punctuation">-</span> <span class="token key atrule">kind</span><span class="token punctuation">:</span> User
  <span class="token key atrule">name</span><span class="token punctuation">:</span> heima
  <span class="token key atrule">apiGroup</span><span class="token punctuation">:</span> rbac.authorization.k8s.io
<span class="token key atrule">roleRef</span><span class="token punctuation">:</span>
  <span class="token key atrule">kind</span><span class="token punctuation">:</span> ClusterRole
  <span class="token key atrule">name</span><span class="token punctuation">:</span> authorization<span class="token punctuation">-</span>clusterrole
  <span class="token key atrule">apiGroup</span><span class="token punctuation">:</span> rbac.authorization.k8s.io
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br></div></div><p><strong>RoleBinding引用ClusterRole进行授权</strong></p> <p>RoleBinding可以引用ClusterRole，但授予的权限仅限于该RoleBinding所在的命名空间内、由ClusterRole定义的那些资源。</p> <p>一种很常用的做法就是，集群管理员为集群范围预定义好一组角色（ClusterRole），然后在多个命名空间中重复使用这些ClusterRole。这样可以大幅提高授权管理工作效率，也使得各个命名空间下的基础性授权规则与使用体验保持一致。</p> <p>注意：本文示例使用的 <code>rbac.authorization.k8s.io/v1beta1</code> 已在 Kubernetes 1.22 中移除，新版本集群请改用 <code>rbac.authorization.k8s.io/v1</code>，其余字段内容不变。</p> <div class="language-yaml line-numbers-mode"><pre class="language-yaml"><code><span class="token comment"># 虽然authorization-clusterrole是一个集群角色，但是因为使用了RoleBinding</span>
<span class="token comment"># 所以heima只能读取dev命名空间中的资源</span>
<span class="token key atrule">kind</span><span class="token punctuation">:</span> RoleBinding
<span class="token key atrule">apiVersion</span><span class="token punctuation">:</span> rbac.authorization.k8s.io/v1beta1
<span class="token key atrule">metadata</span><span class="token punctuation">:</span>
  <span class="token key atrule">name</span><span class="token punctuation">:</span> authorization<span class="token punctuation">-</span>role<span class="token punctuation">-</span>binding<span class="token punctuation">-</span>ns
  <span class="token key atrule">namespace</span><span class="token punctuation">:</span> dev
<span class="token key atrule">subjects</span><span class="token punctuation">:</span>
<span class="token punctuation">-</span> <span class="token key atrule">kind</span><span class="token punctuation">:</span> User
  <span class="token key atrule">name</span><span class="token punctuation">:</span> heima
  <span class="token key atrule">apiGroup</span><span class="token punctuation">:</span> rbac.authorization.k8s.io
<span class="token key atrule">roleRef</span><span class="token punctuation">:</span>
  <span class="token key atrule">kind</span><span class="token punctuation">:</span> ClusterRole
  <span class="token key atrule">name</span><span class="token punctuation">:</span> authorization<span class="token punctuation">-</span>clusterrole
  <span class="token key atrule">apiGroup</span><span class="token punctuation">:</span> rbac.authorization.k8s.io
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br></div></div><p><strong>实战：创建一个只能管理dev空间下Pods资源的账号</strong></p> <ol><li>创建账号</li></ol> <p>注意：下面的步骤直接用集群CA签发了一张有效期3650天的客户端证书。apiserver不会检查客户端证书的吊销状态，这类证书一旦泄露，只能通过删除对应的RBAC绑定或更换集群CA来使其失效，因此建议把 <code>-days</code> 设得尽量短，并妥善保管生成的私钥文件。</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment"># 1) 创建证书</span>
<span class="token builtin class-name">cd</span> /etc/kubernetes/pki/
<span class="token punctuation">(</span>umask 077<span class="token punctuation">;</span>openssl genrsa -out devman.key <span class="token number">2048</span><span class="token punctuation">)</span>

<span class="token comment"># 2) 用apiserver的证书去签署</span>
<span class="token comment"># 2-1) 签名申请，申请的用户是devman,组是devgroup</span>
openssl req -new -key devman.key -out devman.csr -subj <span class="token string">&quot;/CN=devman/O=devgroup&quot;</span>     
<span class="token comment"># 2-2) 签署证书</span>
openssl x509 -req -in devman.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out devman.crt -days <span class="token number">3650</span>

<span class="token comment"># 3) 设置集群、用户、上下文信息</span>
kubectl config set-cluster kubernetes --embed-certs<span class="token operator">=</span>true --certificate-authority<span class="token operator">=</span>/etc/kubernetes/pki/ca.crt --server<span class="token operator">=</span>https://192.168.109.100:6443

kubectl config set-credentials devman --embed-certs<span class="token operator">=</span>true --client-certificate<span class="token operator">=</span>/etc/kubernetes/pki/devman.crt --client-key<span class="token operator">=</span>/etc/kubernetes/pki/devman.key

kubectl config set-context devman@kubernetes --cluster<span class="token operator">=</span>kubernetes --user<span class="token operator">=</span>devman

<span class="token comment"># 切换账户到devman</span>
kubectl config use-context devman@kubernetes

Switched to context <span class="token string">&quot;devman@kubernetes&quot;</span><span class="token builtin class-name">.</span>

<span class="token comment"># 查看dev下pod，发现没有权限</span>
kubectl get pods -n dev

Error from server <span class="token punctuation">(</span>Forbidden<span class="token punctuation">)</span>: pods is forbidden: User <span class="token string">&quot;devman&quot;</span> cannot list resource <span class="token string">&quot;pods&quot;</span> <span class="token keyword">in</span> API group <span class="token string">&quot;&quot;</span> <span class="token keyword">in</span> the namespace <span class="token string">&quot;dev&quot;</span>

<span class="token comment"># 切换到admin账户</span>
kubectl config use-context kubernetes-admin@kubernetes

Switched to context <span class="token string">&quot;kubernetes-admin@kubernetes&quot;</span><span class="token builtin class-name">.</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br><span class="line-number">21</span><br><span class="line-number">22</span><br><span class="line-number">23</span><br><span class="line-number">24</span><br><span class="line-number">25</span><br><span class="line-number">26</span><br><span class="line-number">27</span><br><span class="line-number">28</span><br><span class="line-number">29</span><br><span class="line-number">30</span><br><span class="line-number">31</span><br></div></div><ol start="2"><li>创建Role和RoleBinding，为devman用户授权</li></ol> <div class="language-yaml line-numbers-mode"><pre class="language-yaml"><code><span class="token key atrule">kind</span><span class="token punctuation">:</span> Role
<span class="token key atrule">apiVersion</span><span class="token punctuation">:</span> rbac.authorization.k8s.io/v1beta1
<span class="token key atrule">metadata</span><span class="token punctuation">:</span>
  <span class="token key atrule">namespace</span><span class="token punctuation">:</span> dev
  <span class="token key atrule">name</span><span class="token punctuation">:</span> dev<span class="token punctuation">-</span>role
<span class="token key atrule">rules</span><span class="token punctuation">:</span>
<span class="token punctuation">-</span> <span class="token key atrule">apiGroups</span><span class="token punctuation">:</span> <span class="token punctuation">[</span><span class="token string">&quot;&quot;</span><span class="token punctuation">]</span>
  <span class="token key atrule">resources</span><span class="token punctuation">:</span> <span class="token punctuation">[</span><span class="token string">&quot;pods&quot;</span><span class="token punctuation">]</span>
  <span class="token key atrule">verbs</span><span class="token punctuation">:</span> <span class="token punctuation">[</span><span class="token string">&quot;get&quot;</span><span class="token punctuation">,</span> <span class="token string">&quot;watch&quot;</span><span class="token punctuation">,</span> <span class="token string">&quot;list&quot;</span><span class="token punctuation">]</span>
  
<span class="token punctuation">---</span>

<span class="token key atrule">kind</span><span class="token punctuation">:</span> RoleBinding
<span class="token key atrule">apiVersion</span><span class="token punctuation">:</span> rbac.authorization.k8s.io/v1beta1
<span class="token key atrule">metadata</span><span class="token punctuation">:</span>
  <span class="token key atrule">name</span><span class="token punctuation">:</span> authorization<span class="token punctuation">-</span>role<span class="token punctuation">-</span>binding
  <span class="token key atrule">namespace</span><span class="token punctuation">:</span> dev
<span class="token key atrule">subjects</span><span class="token punctuation">:</span>
<span class="token punctuation">-</span> <span class="token key atrule">kind</span><span class="token punctuation">:</span> User
  <span class="token key atrule">name</span><span class="token punctuation">:</span> devman
  <span class="token key atrule">apiGroup</span><span class="token punctuation">:</span> rbac.authorization.k8s.io
<span class="token key atrule">roleRef</span><span class="token punctuation">:</span>
  <span class="token key atrule">kind</span><span class="token punctuation">:</span> Role
  <span class="token key atrule">name</span><span class="token punctuation">:</span> dev<span class="token punctuation">-</span>role
  <span class="token key atrule">apiGroup</span><span class="token punctuation">:</span> rbac.authorization.k8s.io
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br><span class="line-number">21</span><br><span class="line-number">22</span><br><span class="line-number">23</span><br><span class="line-number">24</span><br><span class="line-number">25</span><br></div></div><div class="language-bash line-numbers-mode"><pre class="language-bash"><code>kubectl create -f dev-role.yaml

role.rbac.authorization.k8s.io/dev-role created
rolebinding.rbac.authorization.k8s.io/authorization-role-binding created
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><ol start="3"><li>切换账户，再次验证</li></ol> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment"># 切换账户到devman</span>
kubectl config use-context devman@kubernetes

Switched to context <span class="token string">&quot;devman@kubernetes&quot;</span><span class="token builtin class-name">.</span>

<span class="token comment"># 再次查看</span>
kubectl get pods -n dev

NAME                                 READY   STATUS             RESTARTS   AGE
nginx-deployment-66cb59b984-8wp2k    <span class="token number">1</span>/1     Running            <span class="token number">0</span>          4d1h
nginx-deployment-66cb59b984-dc46j    <span class="token number">1</span>/1     Running            <span class="token number">0</span>          4d1h
nginx-deployment-66cb59b984-thfck    <span class="token number">1</span>/1     Running            <span class="token number">0</span>          4d1h

<span class="token comment"># 为了不影响后面的学习,切回admin账户</span>
kubectl config use-context kubernetes-admin@kubernetes

Switched to context <span class="token string">&quot;kubernetes-admin@kubernetes&quot;</span><span class="token builtin class-name">.</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br></div></div><h2 id="_9-4-准入控制"><a href="#_9-4-准入控制" class="header-anchor">#</a> 9.4 准入控制</h2> <p>通过了前面的认证和授权之后，请求还需要通过准入控制的检查，apiserver才会真正处理这个请求。</p> <p>准入控制是一个可配置的控制器列表，可以通过apiserver的命令行参数指定要启用哪些准入控制器：</p> <p><code>--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds</code></p> <p>（<code>--admission-control</code> 已被弃用，新版本请使用 <code>--enable-admission-plugins</code> 与 <code>--disable-admission-plugins</code>，参数值同样是逗号分隔的插件名列表。）</p> <p>只有当所有的准入控制器都检查通过之后，apiserver才会执行该请求，否则返回拒绝。</p> <p>当前可配置的Admission Control准入控制如下（注意其中部分插件在新版本中已被弃用或移除，例如PodSecurityPolicy已在1.25中移除，由Pod Security Admission取代）：</p> <ul><li>AlwaysAdmit：允许所有请求</li> <li>AlwaysDeny：禁止所有请求，一般用于测试</li> <li>AlwaysPullImages：在启动容器之前总是重新拉取镜像</li> <li>DenyExecOnPrivileged：它会拦截所有想在Privileged Container上执行命令的请求</li> <li>ImagePolicyWebhook：这个插件允许后端的一个Webhook程序来完成admission controller的功能。</li> <li>ServiceAccount：实现ServiceAccount的自动化管理</li> <li>SecurityContextDeny：这个插件将使Pod中SecurityContext的定义全部失效</li> <li>ResourceQuota：用于资源配额管理目的，观察所有请求，确保在namespace上的配额不会超标</li> <li>LimitRanger：用于资源限制管理，作用于namespace上，确保对Pod进行资源限制</li> <li>InitialResources：为未设置资源请求与限制的Pod，根据其镜像的历史资源使用情况进行设置</li> <li>NamespaceLifecycle：如果尝试在一个不存在的namespace中创建资源对象，则该创建请求将被拒绝。当删除一个namespace时，系统将会删除该namespace中所有对象。</li> <li>DefaultStorageClass：为了实现共享存储的动态供应，为未指定StorageClass或PV的PVC尝试匹配默认的StorageClass，尽可能减少用户在申请PVC时所需了解的后端存储细节</li> <li>DefaultTolerationSeconds：这个插件为那些没有设置forgiveness 
tolerations并具有notready:NoExecute和unreachable:NoExecute两种taints的Pod设置默认的“容忍”时间，为5min</li> <li>PodSecurityPolicy：这个插件用于在创建或修改Pod时决定是否根据Pod的security context和可用的PodSecurityPolicy对Pod的安全策略进行控制</li></ul></div></section> <footer class="page-edit"><!----> <div class="last-updated"><span class="prefix">Last Updated: </span> <span class="time">1/28/2022, 8:09:41 AM</span></div></footer> <!----> <div class="comments-wrapper"><!----></div> </main> <!----></div></div></div></div></div>
    <script src="/assets/js/app.b9ccfc55.js" defer></script><script src="/assets/js/4.8390fbcb.js" defer></script><script src="/assets/js/1.3334f995.js" defer></script><script src="/assets/js/19.459fc46f.js" defer></script>
  </body>
</html>
